The command that gets injected is set by the url: `-u./payload` points the `upload-pack` flag of `git clone` to the `payload` shell script. Note also the `:` within the path; this part is needed to actually get the `payload` script executed.

The path will end up as the repository URL in the subsequent `clone` operation:

The constraint to have a colon in the `path` seems to hinder exploitation on Windows, as a colon is a forbidden character within a path on Windows. However, as noted by some people during the disclosure, Git running within the Windows Subsystem for Linux or Cygwin will allow exploitation on Windows hosts.

Etienne Stalmans, who found [a similar issue](https://staaldraad.github.io/post/2018-06-03-cve-2018-11235-git-rce/) earlier this year, managed to exploit this argument injection [using `--template`](https://twitter.com/_staaldraad/status/1049241254939246592).
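
As an added example (not code from the original post), the check below scans `.gitmodules` content for submodule `url` or `path` values that begin with `-`, which covers both the `-u` and the `--template` variants described above. The function names and the sample file are constructed for illustration.

```python
import re

# Constructed sample: one benign submodule and one whose url is an option.
SAMPLE_GITMODULES = '''\
[submodule "docs"]
\tpath = docs
\turl = https://example.com/docs.git
[submodule "x:x"]
\tpath = x:x
\turl = -u./payload
'''

SECTION = re.compile(r'^\s*\[submodule\s+"(?P<name>(?:[^"\\]|\\.)*)"\]\s*$')
SETTING = re.compile(r'^\s*(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<value>.*?)\s*$')

def parse_submodules(text):
    """Return {submodule name: {key: value}} from .gitmodules text."""
    modules, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.strip().startswith(("#", ";")):
            continue  # blank line or comment
        header = SECTION.match(line)
        if header:
            current = modules.setdefault(header.group("name"), {})
        elif line.lstrip().startswith("["):
            current = None  # some other section: ignore its keys
        elif current is not None:
            setting = SETTING.match(line)
            if setting:
                value = setting.group("value")
                if len(value) >= 2 and value[0] == value[-1] == '"':
                    value = value[1:-1]  # git config allows quoted values
                current[setting.group("key").lower()] = value
    return modules

def find_option_like_values(text):
    """List (name, key, value) where url or path would parse as an option."""
    findings = []
    for name, settings in parse_submodules(text).items():
        for key in ("url", "path"):
            value = settings.get(key, "")
            if value.startswith("-"):
                findings.append((name, key, value))
    return findings

if __name__ == "__main__":
    for name, key, value in find_option_like_values(SAMPLE_GITMODULES):
        print(f"submodule {name!r}: {key} = {value!r} starts with '-'")
```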